I don’t really know why this subject is routinely ignored by users regardless of device or OS. Everyone seems to be concerned with their own security, but it all ends merely on complaining and blaming others, not ourselves.
Maintaining security of an operating system is one of the primary responsibilities of any Linux system administrator. I must say that, its also one of the toughest tasks. You can never be certain, that the machine you’re working on is secure. To be honest, there is no way a machine connected to the Internet, can be called as a secure machine. To be honest, there is no such thing as security the moment you connect to the Internet.
Before we proceed I must tell you something. Don’t get fooled by the phrase –
Linux system administrator.
Don’t think this post is for some geek with glasses, sitting in a dark, smelly room, with empty cans and fast-food containers lying around, staring at thousands of computer screens doing his computer voodoo. No. This post is mainly for you, the Linux user. Believe it or not, you ARE a Linux administrator. You use, maintain, update your Linux system, don’t you? Even if it’s merely a small Raspberry Pi, a laptop or XMBC server, it doesn’t matter at all. Those are still Linux machines, nothing else, and they need your care and attention!
Let’s get back to our point. The only way you can make your computer to be the most secure machine in the world, just by pulling out the Network cable, or ripping your WiFi card out of your computer. If you think a bit deeper you will realize, that its quite true. You cannot make a system completely secure. Even if you don’t connect to the Internet (yeah, you don’t), there still exists a risk for your system to be at risk. You use removable media, mount USB sticks and CD/DVD/Blu-Ray disks that were not created by you. Unix/Linux viruses do exist. Threats to Linux systems are also posed by other forms of malware, such as Trojan horses, rootkits, and spyware. Yeah, don’t believe anyone saying there is no virus for Linux and that Linux is safe and secure! It’s completely untrue! Unix/Linux viruses do exist. Your system won’t be secure unless you take care of it!
In this post, I have created a mini security checklist for a Linux server, consisting of things I think are crucial for maintaining a sane server. I know that not all of them can be implemented everywhere, but for a general Linux usage, they’re an imperative.
Note: As said, this checklist won’t make your system a secure one. However, it would surely reduce the risk of your system being compromised.
- Keep the system updated with latest security patches
- Keep yourself updated with latest vulnerabilities through mailing lists, forums etc.
- Stop and disable unwanted services
- Use SUDO to limit ROOT Access
- SSH security settings
- Tunnel all of your XWindow sessions through SSH
- Create only a required number of users
- Maintain a good firewall policy
- Scan for viruses and other malware!
- Configure SSL/TLS if you are using FTP
- Secure your communication with GPG
- Check file permissions across filesystems
- Bootloader and BIOS security
- Enable remote Logging
- Keep a good password policy
Keep the system updated with latest security patches
You must be aware that this is the first and the most important thing to do for your system. There really exists a widespread belief that Windows should be updated, but Linux is much secure even without the patches and updates. This is totally wrong.
If you have a look at any security report, you will realize that out of all the compromises that took place, most of them occurred because of old vulnerable version of software packages or kernel.
CVE (Common Vulnerability Exposures) vulnerability details, always point towards a specific version of the package and the vendor of the package most of the times already roll out their patches.
Use
aptitude
or
apt-get
package manager, to keep the packages updated. If using Debian-based system, add the security repository to your
souces.list
.
Also, patch your kernel in an organised manner from time to time with latest patches available.
[^TOP^]
Keep yourself updated with latest vulnerabilities through mailing lists, forums etc.
Many open source mailing lists (product specific as well as Linux general), offer detailed information and the relevant fixes required for the latest vulnerabilities.
You should always keep yourself updated about a specific product by subscribing to security mailing lists. Don’t consider it a spam and forget about it. Read the messages posted there at least from time to time.
Examples:
[^TOP^]
Stop and disable unwanted services
You should get to know all the services running on your system, and periodically consult with other users to ensure that only services that are required are running. No unwanted service should be running on your server. Making a list of boot up services from
chkconfig
,
rcconf
or
systemctl
can provide you with a list of services that will come up at boot time. Disabling unwanted services on the server will also improve the server performance wise. Webmin, a web-interface for your system, might come in hand if you don’t feel comfortable enough with command line.
[^TOP^]
Use SUDO to limit ROOT Access
Using
sudo
to restrict user to some critical commands, is advisable. You can easily achieve this by modifying
/etc/sudoers
files.
Sudo
can be configured on a command by command basis,
sudoers
file can be used to control the commands with restrictions.
[^TOP^]
SSH security settings
Almost all Linux machines use SSH service for remote login. You use SSH to access your Raspberry Pi, don’t you? Although SSH is pretty secure by itself, it doesn’t have the ability to protect the server against human mistakes. Some precautions must always be done regarding the SSH protocol.
First of all, disable
root
login through SSH protocol, by modifying the
/etc/ssh/sshd_config
file and setting:
PermitRootLogin no
Make sure that SSH protocol version 2 is used instead of 1 (latest version of the packages use version 2 by default, so no need to modify):
Protocol 2
Bing the default SSH port from 22 to any other (as well as IP, pointing to your machine’s IP):
Port 300
ListenAddress 192.168.1.5
Disable Host-Based Authentication:
HostbasedAuthentication no
Limit only specific users to access your machine via SSH:
AllowUsers user1 user2
Disable password-based authentication and allow public key based authentication. This will help to securely allow users whose public key is deployed on the server to login through SSH. This can be done by modifying the
sshd_config
file on the server as below:
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
For more tips, head to nixCraft website.
[^TOP^]
Tunnel all of your XWindow sessions through SSH
This will harden the graphical communications which is normally unencrypted. To do this, you need to have the following entry in your
sshd_config
file.
ForwardX11 yes
Now you can connect the server using
ssh -X -c [email protected] -p 123
The
-X
option allows us to use forwarded XWindow system.
The
-p
designates port to connect to if using different port than the default 22.
And
-c
option is a nice way to compress the traffic. Its a good option is you have low bandwidth.
[^TOP^]
Create only a required number of users
This is self-explanatory. There is no need to create thousands of user accounts. Make a list of all user accounts you have on the server, and delete all unwanted users on the system.
[^TOP^]
Maintain a good firewall policy
Write down the IP/subnets that you want to allow access to the machine and allow only them. It’s a good idea to make a firewall script for both inbound and outbound connections and enable the script for the firewall rules.
On most of the Linux firewalls, the order in which the rules are applied matters. So as mentioned, managing all rules for the firewall with a firewall script, and checking periodically the set of rules applied is a good idea.
There are a lot number of firewall’s available for Linux out there, some of them are mentioned below.
- iptables
- ufw
- checkpoint
- shorewall
- pfsense
The important thing that matters is how you configure them, because almost all of them are good at what they do. According to me, iptables, the default firewall for most of the distributions out of the box, will be a good point to start with. You can do almost everything, that you need with this firewall. If you’re interested, here ismy post about iptables, and here you can find an example iptables script.
On top of a firewall, you might want to use additional software, like fail2ban orsnort that running along with your firewall, harden your system.
[^TOP^]
Scan for viruses and other malware!
As mentioned at the beginning, Linux is not virus-proof. In fact, Any computer that is attached to a network is not immune to viruses. The next thing you might want to do is to take a critical look at who’s knocking at your doors. You should also scan your machine for viruses.
To make sure everything that gets into your system is clean and safe useClamA[nti]V[irus]:
To install:
sudo apt-get install clamav
To update:
sudo freshclam
To inspect e.g. your download folder:
sudo clamscan -ri /path/to/your/home/downloads
This will ClamAV do a scan recursively, i.e. also scan the content of folders and inform you about possibly infected files.
To inspect your whole system:
sudo clamscan -irv --exclude=/proc --exclude=/sys --exclude=/dev --exclude=/media --exclude=/mnt
Remember: ClamAV is known for its tight nets. That means that you are likely to get some false positives from time to time. Do a web-search if you’re in doubt in regards to its findings.
To hunt down any rootkits that might infect your system, use RKHunter – which is short for [R]oot[K]itHunter. Installation, again, is simple:
sudo apt-get install rkhunter
The best is to run rkhunter on a clean installation – just to make sure nothing has been tampered with already. Directly after commands like apt-get update && apt-get upgrade run:
sudo rkhunter --propupd
This tells rkhunter: It’s all good.
To run rkhunter:
sudo rkhunter -c --sk
You find rkhunter’s logfile in
/var/log/rkhunter.log
. So when you get a warning you can in detail check out what caused it.
To set up a cronjob for RKHunter:
sudo nano /etc/cron.daily/rkhunter.sh
insert and change the mail-address:
/usr/local/bin/rkhunter
-c --cronjob 2>&1 | mail -s
"RKhunter Scan Details"
[email protected]
|
make the script executable:
sudo chmod +x /etc/cron.daily/rkhunter.sh
update RKHunter:
sudo rkhunter --update
and check if it functions the way it’s supposed to do:
sudo rkhunter -c --sk
Another neat tool with similar functionality is
chkrootkit
. To install:
sudo apt-get install chkrootkit
To run:
sudo chkrootkit
[^TOP^]
Configure SSL/TLS if you are using FTP
FTP is considered to be an insecure protocol. It is advisable that you do the following things while working with FTP service:
- Use the latest version of the FTP package
- Force only required users to login through FTP
- Allow only TLS with FTP access to the server.
- If possible, keep the user in chroot jail.
[^TOP^]
Secure your communication with GPG
You can encrypt communication going from your machine using GPG. It’s a good practice, ensuring no unauthorized access to critical data, like logwatch, system reports, but also protects your own mail and conversations. For more information on GPG head here: GNU Privacy Guard – The Basics.
[^TOP^]
Check file permissions across filesystems
As you might already know, the file permissions play an important role in securing a Linux server. You need to periodically make sure all your important files are given permissions correctly.
Things to check regarding file permissions:
- Check and confirm, if the UMASK value is as required
- Periodically search for files with absurd permissions set on them. Like globally writeable files etc. You can search them using command:
find / -perm -o=w ! -type l -ls
- Use tools like adeos for potential file state. Scanning the whole system with tools like adeos for files with dangerous permissions is a good method to follow. You can get the tool from here. It will search for files which are world writable, SUID etc.
[^TOP^]
Bootloader and BIOS security
Normally, people ignore this step as they always think attackers and intruders are always remote people tying to gain access over the Internet.
Access to BIOS means access to do anything… You can easily boot the system from any disk or other media if you have access to BIOS. So keep a secure password for BIOS. Also, protect your boot loader (GRUB, LILO) with a secure password, so that no one would change your boot options without password.
[^TOP^]
Enable remote Logging
Most of the time intruders and attackers after gaining access to the system, delete the system logs in order to delete any trace of their intrusion. However, if you have remote logging enabled, the attacker now needs to compromise multiple systems to delete the logs (which most of the times is not that easy). You can achieve remote logging with multiple tools like the following:
[^TOP^]
Keep a good password policy
Understand the usage of
chage
command and use it effectively to modify password setting per user. By default, the command will show you the password information of a particular user.
chage --list <username>
Modify the password expiry per user with the help of
chage
command.
chage -M <number of days to expire> <username>
Modify the
/etc/pam.d/system-auth
file to suite your needs. Also check and confirm /
etc/login.defs
(this sets the default settings when a user is created) is as required.
[^TOP^]
I hope you enjoyed the read and found at least one useful thing for your system.
If you have any other tips for keeping the system secure, please let me know, and, most of all, leave a comment.
planetscape says:
